Locking Up Internet Security

The protection of security based on certificates can be applied to Web servers, e-mail, documents, files or any application that supports them. Currently, only a limited number of applications support the use of certificates, with analysts predicting that certificates will be widely implemented by 2002. A head start on your Internet security strategy is your best plan.

The Internet continues to unfold as the marketplace of the future, beyond the initial stage of a giant electronic library to a platform for business. Last year, the United States conducted an estimated $29 billion worth of business over the Internet. Most of the actual transactions were "protected" by technology called Secure Sockets Layer, or SSL. SSL displays messages saying "you are about to enter a secured session" and shows a small lock icon at the bottom of the screen to let the user know that it is working.

But is SSL enough to protect your enterprise from the vast anonymity of the Internet?

Last year, a PricewaterhouseCoopers survey reported that at least one security breach occurred at 59 percent of sites selling through the Web. In a yearly study performed by the FBI and Computer Security Institute, participants reported that 57 percent of intrusions into their networks came through the Internet. In a 1999 survey, Ernst and Young report that CEOs identify trust, privacy protection and authentication as the most serious barriers to e-commerce. Or, as a recent New Yorker cartoon points out, "On the Internet, nobody knows you’re a dog."

Because the Internet’s advantages of cost savings and global market access can be offset by the risks of false identity, data corruption and transaction repudiation, security solutions that eliminate these threats are emerging as crucial electronic business technologies. To counter the anonymity of the Internet, organizations must devise security strategies tailored to their way of doing business.

Security, like glue, comes in a variety of strengths, from library paste to epoxy. The appropriate kind of security needs to be applied, depending on the degree of risk involved in the Internet activity.

There are four main security issues most companies face:

Privacy – Restricting access to an identified audience.

Identity – Verifying who the individual user is.

Authorization – Making sure that, once identity has been established, the individual is authorized to view information or perform an activity.

Non-repudiation – The recording of an event so it cannot later be denied.

The Issue of Privacy

Privacy means that only your intended recipient will be able to read your message. Today, most consumer transactions over the Internet are protected by SSL technology. Using SSL, browsers can establish sessions between a desktop and a Web server and encrypt sent messages during transit, protecting them from prying eyes. SSL is the protocol that identifies the participants (browser and server) and privatizes the data in an Internet session. Public key encryption technology and digital certificates are used to encrypt the transmitted information.

Public key technology, the basis of a public key infrastructure (PKI), uses two keys for data encryption and decryption. This pair of keys consists of a private key (only you know it) and a public key (freely shared). If the private key is used to encrypt a message, then only the public key will decrypt it, and vice versa. The public key can be submitted to a certificate authority, along with specific identifying credentials, so a certificate can be issued. A certificate is an electronic document that says the person or entity identified by the certificate is the owner of the public key in the certificate. The private key is held by the owner, exclusively, and is not part of the certificate.

Certificates establish identity in an otherwise anonymous world. SSL, based on server certificates, identifies the server that is receiving your communication. But, because most secured sessions use the certificate solely to encrypt the transmission – not to identify the ultimate receiver – the question remains, who is reading the message?

Identifying Sender and Receiver

Client certificates are used to establish personal or corporate identity. You supply a specified credential to establish your identity, along with the public key generated by your browser, then the system automatically and seamlessly submits a request to a certificate authority for a certificate. The certificate can be installed on your browser or encoded on a smartcard. SSL still protects your message, but if you encrypt the message when you send it, then the server will be unable to decrypt the initial transmission without the corresponding key.

Companies should look for solutions that are based on industry-recognized standards and can integrate into existing administrative infrastructures to allow certificates to be handled like other administrative tasks. Scalability is also important. Security solutions should be able to scale to accommodate demand for certificates, PKI queries, large-scale certificate storage and management, and the unpredictable volume "spikes" of the Internet.

Proof-Positive Identification

Certificates are invaluable in establishing secure communications over the Internet, but when proof-positive identification is required, biometrics – such as fingerprints – are ideal. Fingerprints consistently provide accurate identification of individuals, and cannot be lost or stolen. Many companies and agencies dealing with highly volatile or secure information have been using this technology for years. The ability to use finger images as authentication for data access control has recently become cost effective. Because of the reduced cost and the ultimate secure nature of the technology, Unisys expects to see fingerprint biometrics spread to a wider variety of companies in the near future.

There are many possible uses for this technology. For example, biometrics can be used to control access to workstations and Internet sites. For workstation security, the user logs on by placing a finger on the finger image reader installed at the workstation and entering a user name. The live finger image is compared with the image template stored in the security database on a central authentication server. If there is a match for the specified user name, the individual is authenticated and logged on. In addition to securing sensitive information from unauthorized access, the use of biometrics for identification eliminates the expense and nuisance associated with maintaining and remembering passwords.

In addition to securing workstations, a biometric can be used as the PIN to open a smart card that contains the user’s certificate. The certificate establishes privacy and identifies the sending and receiving parties; the biometric ensures that the person using the certificate is the person it was issued to.

The Issue of Authorization

Once a system user has been positively identified, the next order of business is to determine what actions the user is qualified to perform, and what information he or she is allowed to access. Securing Web sites is typically accomplished using an access control list, or ACL. An ACL makes it possible to extend the corporate security perimeter beyond the boundary of the firewall and into the public network. Most firewalls base their access policy on IP addresses – identities associated with the location of a specific piece of hardware, rather than the person using the hardware. But hardware doesn’t sabotage your corporate information; people do.

Helpful security tools let developers create an ACL specifying protected URLs, the users granted access to these pages, and the authentication token or credential that the user must present in order to gain access. Users would first register their authentication token – finger image, password or certificate – in a user credential server before requesting access to restricted URLs. When they request access to a protected resource, they are prompted to present the authentication token and granted access only if there is a match between the token and credential server records.

There are also tools on the market that can be used to enable Web applications to initiate authorization re-verification when specified events take place, such as the passage of a certain amount of time with no activity, or when conditions reach identified guidelines, such as spending limits. This is especially important to businesses that rely on the Internet to communicate with their suppliers because it offers a built-in way to manage that activity without human intervention.
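The access check and re-verification triggers described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from any Unisys product; the ACL layout, the in-memory credential store, the user names and both policy limits are hypothetical.

```python
import hashlib
import hmac
import os

# Hypothetical ACL: protected URL prefix -> users granted access and the
# credential type each must present. URLs are assumed already normalized.
ACL = {
    "/orders/": {"users": {"alice", "bob"}, "credential": "certificate"},
    "/catalog/private/": {"users": {"alice"}, "credential": "password"},
}
CREDENTIALS = {}        # stand-in credential server: (user, kind) -> (salt, hash)
IDLE_LIMIT_S = 900      # assumed policy: re-verify after 15 idle minutes
SPEND_LIMIT = 10_000    # assumed policy: re-verify once an order reaches this total

def _derive(token: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", token, salt, 100_000)

def register(user: str, kind: str, token: bytes) -> None:
    """Enroll a token (password, certificate fingerprint, ...) before first use."""
    salt = os.urandom(16)
    CREDENTIALS[(user, kind)] = (salt, _derive(token, salt))

def authorize(user: str, url: str, kind: str, token: bytes) -> bool:
    """Grant access only if the ACL lists the user for this URL and the
    presented token matches the credential server record."""
    rule = next((r for prefix, r in ACL.items() if url.startswith(prefix)), None)
    if rule is None:
        return True                     # URL is not on the protected list
    if user not in rule["users"] or kind != rule["credential"]:
        return False
    record = CREDENTIALS.get((user, kind))
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _derive(token, salt))

def needs_reverification(last_activity: float, now: float, order_total: float) -> bool:
    """Ask for the credential again after inactivity or at the spending limit."""
    return (now - last_activity) > IDLE_LIMIT_S or order_total >= SPEND_LIMIT

if __name__ == "__main__":
    register("alice", "password", b"constructed-sample-passphrase")
    print(authorize("alice", "/catalog/private/q3", "password",
                    b"constructed-sample-passphrase"))
    print(authorize("alice", "/orders/1001", "password",
                    b"constructed-sample-passphrase"))
    print(needs_reverification(last_activity=0, now=1200, order_total=50))
```

The second call is refused even though the password is correct, because the ACL entry for that URL requires a certificate rather than a password.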

When personal authentication is based on certificates, your system should conform to the X.509 v3 certificates recommended by Internet Engineering Task Force (IETF) standards. The system could also support smartcards, where the user’s digital certificate resides on a microchip within a tamper-proof card, or finger imaging as a biometric credential. These details should be determined by each company’s business need for security, present and future.

Digital Signatures and Non-Repudiation

Enterprises that allow customers to enter orders on the Internet – especially large orders – need a way to verify both the identity of the person placing the order and the integrity of the message itself. That is, they need a way to prove that the message was received as sent. This makes it impossible for the sender to deny last Friday’s order of 5,000 widgets, or to claim that the order was for 500 widgets instead. This non-repudiation is accomplished with digital signatures.

A digital signature makes it possible to verify that a message has arrived at its destination unchanged. Digital signature technology uses the sender’s private key to encrypt a number that represents, in binary form, the text of the message that is being signed. This number, similar in concept to a checksum, is called a "hash." By encrypting the hash with the private key that only he or she holds, the sender has both established his or her identity as the signer of the document and provided a means to validate the content of the message. The receiver verifies the signature, which includes decrypting with the sender’s public key (thus verifying the sender’s identity), and recalculates the hash to verify its correspondence to the text of the message received.

Digital signatures alone only offer non-repudiation because just the hash is encrypted, not the message itself. When the signature on the document is what is important, this does not matter, but when the privacy of corporate information in the document is involved, it matters a great deal.

In this case, the sender can encrypt parts of or the entire message with the receiver’s public key. Now, only the receiver’s private key can decode it. This level of security, in addition to the digital signature, is important to safeguard the most sensitive and valuable information made available on the Internet.
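The signing, verification and encryption steps described above, carried through in code. This is an added example, not part of the original article; it uses unpadded textbook RSA with constructed demo keys built from publicly known Mersenne primes, so the keys are trivially factorable and the order text is sample data. Production systems use padded schemes such as RSASSA-PSS and RSA-OAEP from a vetted library.

```python
import hashlib

E = 65537  # public exponent shared by both demo keys

def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent (textbook RSA)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys from publicly known Mersenne primes: trivially
# factorable and unpadded, for illustration only.
SENDER_N, SENDER_D = make_key(2**521 - 1, 2**607 - 1)
RECEIVER_N, RECEIVER_D = make_key(2**1279 - 1, 2**2203 - 1)

def digest(message: bytes) -> int:
    """The 'hash': a number that represents the text of the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender transforms the hash with the private key only the sender holds."""
    return pow(digest(message), SENDER_D, SENDER_N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver recovers the hash with the sender's public key and compares
    it with a hash recalculated from the message actually received."""
    return pow(signature, E, SENDER_N) == digest(message)

def encrypt_for_receiver(message: bytes) -> int:
    """Privacy: only the receiver's private key can reverse this."""
    m = int.from_bytes(message, "big")
    if m >= RECEIVER_N:
        raise ValueError("message too long for this demo key")
    return pow(m, E, RECEIVER_N)

def decrypt_as_receiver(ciphertext: int) -> bytes:
    """Receiver reverses the encryption with the receiver's private key."""
    m = pow(ciphertext, RECEIVER_D, RECEIVER_N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    order = b"PO 1001: 5,000 widgets"   # constructed sample order
    sig = sign(order)
    print("genuine order verifies:", verify(order, sig))
    print("altered order verifies:", verify(b"PO 1001: 500 widgets", sig))
    sealed = encrypt_for_receiver(order)
    print("receiver recovers:", decrypt_as_receiver(sealed))
```

The signature travels alongside a readable message; only the separate encryption step with the receiver's public key hides the order text.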

Do Your Research

Certificates and the public key infrastructure they complement form the foundation of modern security technology. How are certificates issued? Is one as good as another?

The legal status of digital signatures is currently under discussion. About 40 states have legislation on the books or under consideration to define the circumstances in which a digital signature can be considered binding. Washington and Utah have created the concept of licensed certificate authorities: a certificate authority recognized by the state as having met specified requirements.

Each certificate authority develops a Certificate Practice Statement that defines the credentials required to receive each class of certificate and the uses to which the certificate can be applied.

For example, a certificate issued upon submission of a notarized request with identity verified by a passport carries a greater degree of trust than one requested over the Web on the basis of an address and driver’s license number.

The Web site www.mbc.com has useful and detailed current information, state by state, on the legal recognition status of digital signatures. The site is maintained by the Chicago law firm of McBride, Baker and Coles. Another site, with summary information, is maintained by the Internet Law & Policy Forum and can be found at www.ilpf.org.

Greet the Future Today

The protection of security based on certificates can be applied to Web servers, e-mail, documents, files or any application that supports them. Currently, only a limited number of applications support the use of certificates. Analysts predict that certificates will be widely implemented by 2002. So, while the little lock on your browser may be enough for some Web communications, it is not wise to base your Internet business on it. That means getting a head start by planning your Internet security strategy today.

Remember, on the Internet you could be talking to a dog.

About the Author: Kathie Wilkening is the Security Products Marketing Manager for Unisys Computer Systems’ business unit, with 26 years’ experience in the computer industry.



Unisys Single Point Security Products

Unisys offers Single Point Security software, including Single Point I-Net Certificate Authority, Single Point BioPin, Single Point AuthentiKit, and Single Point File and Mail Security, to tackle security issues. Unisys Single Point Security suite of products makes it possible to issue and manage certificates, secure access to your Web servers, and encrypt e-mail communications or sensitive files.

Single Point I-Net Certificate Authority: SP I-Net CA is a certificate authority based on Xcert Sentry CA technology that offers identification based on certificates and PKI. Using graphical interfaces, it interoperates with other PKI-aware products and can scale up to accommodate massive demand for certificates, PKI queries, and large-scale certificate storage and management. SP I-Net CA is designed to be integrated into existing administrative infrastructures to allow certificates to be handled like other administrative tasks. The SP I-Net CA integrated directory, TransIT 500, is the Unisys X.500 directory.

Single Point AuthentiKit: AuthentiKit provides Web developers with tools to create an access control list specifying protected URLs, the users granted access to these pages, and the authentication token or credential that the user must present in order to gain access. AuthentiKit includes server and client software that runs on Microsoft and Netscape servers and browsers. AuthentiKit can also be used to enable Web applications to initiate authorization re-verification for specified events. When personal authentication is based on certificates, AuthentiKit works with any X.509 v3 certificate, including those provided by the SP I-Net Certificate Authority. AuthentiKit also supports the GemSAFE cryptographic smartcard from Gemplus, and finger imaging as a biometric credential.

Single Point BioPin: SP BioPin uses fingerprint technology to control access to workstations and Internet sites. SP BioPin is a combination of fingerprint reader hardware and finger image recognition software. Biometrics can be used as the PIN to open a smart card that contains the user’s certificate and can also be used to protect Internet sites in conjunction with Unisys AuthentiKit. They can also be the logon credential to gain access to a Windows or NT workstation. The SP BioPin solution includes finger image readers embedded in a keyboard or as stand-alone peripherals.

SP File and Mail Security: SP File and Mail Security solution uses certificates to encrypt messages and identify sender and receiver. It simplifies encryption with a toolbar that works with most types of files. Clicking the icon on the toolbar allows the user to encrypt, decrypt or sign text within any application, a whole document or any file, making different protocols for electronic documents unnecessary.

This solution provides both digital signatures for non-repudiation and public key encryption to secure the contents of electronic communications over the Internet. Using one-click encryption and decryption, it ensures protection for e-mail, files, documents, spreadsheets, databases, presentations, compressed files, graphics, programs, libraries, directories, disks and drives. Users can selectively encrypt any part of a document or e-mail. SP File and Mail Security is compatible with the Unisys SP I-Net Certificate Authority that certifies the authenticity of public keys and the identity of key owners.

For more information, visit www.unisys.com/sp-security.